Troubleshooting Password Synchronization

Novell Cool Solutions: Tip

If your DirXML-enabled password synchronization solution isn't doing what it should in the way of synchronizing passwords, here's a tip from the support team.

The Problem

In some cases the nadLoginName attribute is not being created because the DirXML 1.1 security equivalent user does not have full rights to the users container.

A case of mistaken case?

Password changes on the Domain side do not work because, during the install of Password Synchronization 1.0 for Windows, the Domain name was typed in uppercase when it was really lowercase. Associations are case sensitive. When a password is changed on the Domain side, the service attempts to find the Domain object based on the name of the Domain and its association. When a password is updated on the Domain, the Password Synchronization service uses the association-ref to find the eDirectory Domain object it is associated with. The information in the association-ref must be exactly the same as the Association Object ID on the Domain object in eDirectory. This is found under the Domain object properties | DirXML Associations tab.

If the association-ref has the name in lowercase and the Association Object ID is in uppercase, the service will not find the Domain object and will be unable to read the indexDefinition for nadLoginName. Because it cannot read nadLoginName, it cannot find the associated user and cannot update the password.

During the install of Password Synchronization 1.0 for Windows, the PasswordSync user object was not placed high enough in the tree to have rights to the users, the Domain object, and the server object hosting the service.

The Solution

In ConsoleOne:

Give the DirXML user full rights to the container where the users are created and modified.

Modify the DirXML association (Associated Object ID) on the Domain object so that it exactly matches the association-ref shown in the DirXML trace.

Assign the PasswordSync user object to a higher-level container in the tree so that rights flow down to the objects in eDirectory, i.e. the users in eDirectory that are associated to the domain, the Domain object, and the server object hosting the service. Assign the rights as specified in the installation instructions for DirXML Password Synchronization 1.0 for Windows.

For full information and updates regarding this tip, check TID-10070203.